explorer modifications

0ctinium

I'm not sure if the following question fits into operating systems or networking, but I felt safer putting it here.

I have about 400 computers, all of which are to be used by students who have nothing but malicious thoughts....so I need to be able to disable the menu bar (File, Edit, View, Tools, Help). I've tried looking through group policy and can't find anything to fit the bill....and also saw a FEW 3rd party programs that said they could do it....but they don't look promising from the networking point of view. I don't care if the menu bar is just dimmed or if it's completely gone but it needs to be disabled in some way.

A second problem that I'm facing is one that seems easier to tackle. In Windows XP, you can enable policies to hide the entire notification area (used to be called the system tray...icons in lower right hand corner)....but in 2000 it seems as though there's no equivalent. There are many 3rd party programs for this but once again most don't have the ability to deploy over a network. I've tried taking bits and pieces of the XP adm files to sloppily get something to work but no such luck.

Any suggestions are appreciated and I'll be able to test any ideas early tomorrow morning. Thanks :)
 
Why not just give them user level rights and disable run and browsing of C drive? You could also allow them to run only specified apps and remove access to the control panel. This has always worked for me, and kept even the worst of the worst at bay in the schools that I've consulted for.
 
You can also kick them over to the old Windows 3.1 shell, which will tend to keep them from experimenting as much.

M11's right, though, on Permissions being the big thing.
 
lomn75 said:
You can also kick them over to the old Windows 3.1 shell, which will tend to keep them from experimenting as much.
for the unfamiliar, progman.exe in %systemroot%
lomn75 said:
M11's right, though, on Permissions being the big thing.
Yeah, who cares if they can poke around if they can't change anything? The people who poke around for 30 min trying to break something and get nowhere generate a HUGE audit trail......makes it easy on the admins.

Seriously, as long as they cannot browse the C drive, they can't do much given user-level permissions. :D
 
Not practical for 400 computers really, but I've heard of people running entire images to a few computers every startup. Those were like for kiosks.
 
What are these computers used for? User level permissions should only allow them to screw up their stuff, and leave the computer intact, unless they boot WinPE and muck with the disk that way. What attack vectors are you concerned with?
 
theDot said:
Not practical for 400 computers really, but I've heard of people running entire images to a few computers every startup. Those were like for kiosks.
Say what? He's planning on using group policy, which would be set on the domain controller and will replicate out at the specified policy refresh interval (typically 15 min or next logon).

Ranma_Sao said:
What are these computers used for? User level permissions should only allow them to screw up their stuff, and leave the computer intact, unless they boot WinPE and muck with the disk that way. What attack vectors are you concerned with?
This is the sensible question. User level permissions as I've suggested prevent damage to the system. NTFS and registry security is a concrete, enforceable measure, both of which are not open hardly at all to someone in userland. Remove a few additional modification permissions, e.g. control panel, time, screen saver, other local settings, etc. and you'll be good to go. Disable browsing of C for good measure and allow them to only run specified apps, just to aid in preventing an unexpected elevation hole.

Another good thing to do is set the HD as first in boot sequence, and password protect CMOS setup. This will nullify the vast majority of attempts at using Knoppix/SuperPE/Recovery Console/MSDOS Disks, and even stop virus infected media from damaging the system before Windows boots.
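
An added example, not part of the thread: a small audit that reads a `.reg` export of a student profile and reports which of the shell lockdown measures suggested above (no Run, no Control Panel, C: hidden and blocked, run only specified apps) are actually set. The sample export is constructed, and the mapping of each suggestion to an Explorer policy value is this example's assumption, not something the posters specified.

```python
import re

EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed sample export (not taken from the thread); NoViewOnDrive is left out.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:00000004
"NoControlPanel"=dword:00000001
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="winword.exe"
"2"="iexplore.exe"
'''

def parse_reg(text):
    """Return {key_path: {value_name: int or str}} from .reg export text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif m and current is not None:
            current[m.group(1)] = int(m.group(3), 16) if m.group(3) else m.group(4)
    return keys

def drives(mask):
    """Decode the NoDrives/NoViewOnDrive bitmask: bit 0 = A:, bit 2 = C:."""
    return [chr(ord("A") + i) for i in range(26) if mask >> i & 1]

def audit(text, drive="C"):
    """Return (missing lockdown measures, allowed applications)."""
    keys, gaps = parse_reg(text), []
    pol = keys.get(EXPLORER, {})
    if pol.get("NoRun") != 1:
        gaps.append("Run command still on Start menu (NoRun)")
    if pol.get("NoControlPanel") != 1:
        gaps.append("Control Panel reachable (NoControlPanel)")
    if drive not in drives(pol.get("NoDrives", 0)):
        gaps.append(f"{drive}: visible in My Computer (NoDrives)")
    if drive not in drives(pol.get("NoViewOnDrive", 0)):
        gaps.append(f"{drive}: hidden at most, still browsable by path (NoViewOnDrive)")
    allowed = keys.get(EXPLORER + r"\RestrictRun", {})
    if pol.get("RestrictRun") != 1 or not allowed:
        gaps.append("no application allow-list (RestrictRun)")
    return gaps, sorted(allowed.values())
```

These values are honored by the Explorer shell only, so they complement the NTFS and registry permissions described above rather than replace them.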
 
It's more like 35 computers per 4 labs running out of one server. Everything is already completely configured with group policy, profiles and a few scripts I wrote. I'm not really trying to prevent the user from hurting the computer, more to maintain uniformity. I don't want people changing font sizes, encoding and every other thing that can be found up there. For the most part I've given the users absolutely no rights to anything....it's pretty much just Office, Internet Explorer and their own drive for files (H:\).

Thanks for all the info, I'll definitely look into it.
 
Ok.... I have the perfect solution for you...

Look up a program called Deep Freeze. My school was running it on their Windows 95 and 98 machines (and there is a version available for Windows 2000/XP as well). It basically locks the system in a state and when you restart the system everything reverts back to the way it was before whoever was messing with it was on it. It's fool proof. The student could format the drive and nothing would happen. You just hit the reset button and you're back in business. It'd be perfect I bet. Saves a lot of hassle.

Probably the perfect solution if you don't want them to change any settings (meaning you don't care if stuff is erased from the systems when they are reset). It's pretty reasonably priced as well and I believe it can be deployed over a network.

For a 60-day trial and information check it out here:
http://www.faronics.com/index.asp
 
Canon said:
Ok.... I have the perfect solution for you...

Look up a program called Deep Freeze. My school was running it on their Windows 95 and 98 machines (and there is a version available for Windows 2000/XP as well). It basically locks the system in a state and when you restart the system everything reverts back to the way it was before whoever was messing with it was on it. It's fool proof. The student could format the drive and nothing would happen. You just hit the reset button and you're back in business. It'd be perfect I bet. Saves a lot of hassle.

Probably the perfect solution if you don't want them to change any settings (meaning you don't care if stuff is erased from the systems when they are reset). It's pretty reasonably priced as well and I believe it can be deployed over a network.

For a 60-day trial and information check it out here:
http://www.faronics.com/index.asp
Nah, it's better done at the hardware level. It is easy to bypass the software programs like it, and several viruses do. There are also a few tools popular with script kiddies that can get around it.

Take a look at Lenten's Reborn Cards.
I have excellent results in the field with these.
 